Earlier attempts to associate different authorization-related attributes with clients often relied on the client IP address as a means to identify the client. However, this technique proved not to be very effective, since the IP address of a network device may easily be changed. Furthermore, the proliferation of Network Address Translation (NAT) devices and Virtual Private Networks (VPNs) makes it difficult for an access server to identify a particular client solely on the basis of the client's IP address.
Commonly used Kerberos tickets provide a means for applications to share a cryptographically authenticated credential among several applications. However, Kerberos tickets only indicate that a particular user has successfully authenticated to a central network server, thereby establishing a single user session. Kerberos tickets do not convey user capabilities and they do not span multiple user sessions.
The use of hardware tokens for authentication addresses a related need. A hardware token allows a user to prove their identity as well as their possession of a particular physical object. In return, those proven assertions may lead to expanded access rights for a network service. However, a hardware token also does not provide a general means to convey the user capabilities of the client.
Thus, it is with respect to these considerations and others that the present invention has been made.